Abstract

Although a quantum state requires exponentially many classical bits to describe, the laws of quantum
mechanics impose severe restrictions on how that state can be accessed. This paper shows in three settings
that quantum messages have only limited advantages over classical ones.

First, we show that BQP/qpoly ⊆ PP/poly, where BQP/qpoly is the class of problems solvable in
quantum polynomial time, given a polynomial-size "quantum advice state" that depends only on the input
length. This resolves a question of Buhrman, and means that we should not hope for an unrelativized
separation between quantum and classical advice. Underlying our complexity result is a general new
relation between deterministic and quantum one-way communication complexities, which applies to partial
as well as total functions.

Second, we construct an oracle relative to which NP ⊄ BQP/qpoly. To do so, we use the polynomial
method to give the first correct proof of a direct product theorem for quantum search. This theorem has
other applications; for example, it can be used to fix a flawed result of Klauck about quantum time-space
tradeoffs for sorting.

Third, we introduce a new trace distance method for proving lower bounds on quantum one-way
communication complexity. Using this method, we obtain optimal quantum lower bounds for two problems
of Ambainis, for which no nontrivial lower bounds were previously known even for classical randomized
protocols.

1 Introduction

How many classical bits can "really" be encoded into n qubits? Is it n, because of Holevo's Theorem [18]; 2n,
because of dense quantum coding and quantum teleportation [5]; exponentially many, because of quantum
fingerprinting jJT]; or infinitely many, because amplitudes are continuous? The best general answer to this
question is probably mu, the Zen word that "unasks" a question.^1

To a computer scientist, however, it is natural to formalize the question in terms of quantum one-way
communication complexity [51 II 11 [T^ I39| . The setting is as follows: Alice has an n-bit string x, Bob has an
m-bit string y, and together they wish to evaluate $f(x,y)$ where $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$ is a Boolean
function. After examining her input $x = x_1 \ldots x_n$, Alice can send a single quantum message $\rho_x$ to Bob,
whereupon Bob, after examining his input $y = y_1 \ldots y_m$, can choose some basis in which to measure $\rho_x$. He
must then output a claimed value for $f(x,y)$. We are interested in how long Alice's message needs to be, for
Bob to succeed with high probability on any x,y pair. Ideally the length will be much smaller than if Alice
had to send a classical message.

Communication complexity questions have been intensively studied in theoretical computer science (see
the book of Kushilevitz and Nisan [22] for example). In both the classical and quantum cases, though, most
attention has focused on two-way communication, meaning that Alice and Bob get to send messages back
and forth. We believe that the study of one-way quantum communication presents two main advantages.
First, many open problems about two-way communication look gruesomely difficult — for example, are the
randomized and quantum communication complexities of every total Boolean function polynomially related?
We might gain insight into these problems by tackling their one-way analogues first. And second, because
of its greater simplicity, the one-way model more directly addresses our opening question: how much "useful
stuff" can be packed into a quantum state? Thus, results on one-way communication fall into the quantum
information theory tradition initiated by Holevo [18] and others, as much as the communication complexity
tradition initiated by Yao [37].

* Email: aaronson@ias.edu. This work was performed while the author was a graduate student at UC Berkeley. Supported
by an NSF Graduate Fellowship, by NSF ITR Grant CCR-0121555, and by the Defense Advanced Research Projects Agency
(DARPA).

^1 Another mu-worthy question is, "Where does the power of quantum computing come from? Superposition? Interference?
The large size of Hilbert space?"

Related to quantum one-way communication is the notion of quantum advice. As pointed out by Nielsen
and Chuang [27, p. 203], there is no compelling physical reason to assume that the starting state of a quantum
computer is a computational basis state:^2

[W]e know that many systems in Nature 'prefer' to sit in highly entangled states of many systems; 
might it be possible to exploit this preference to obtain extra computational power? It might be 
that having access to certain states allows particular computations to be done much more easily 
than if we are constrained to start in the computational basis. 

One way to interpret Nielsen and Chuang's provocative question is as follows. Suppose we could request
the best possible starting state for a quantum computer, knowing the language to be decided and the input
length n but not knowing the input itself.^3 Denote the class of languages that we could then decide by
BQP/qpoly — meaning quantum polynomial time, given an arbitrarily-entangled but polynomial-size quantum
advice state.^4 How powerful is this class? If BQP/qpoly contained (for example) the NP-complete problems,
then we would need to rethink our most basic assumptions about the power of quantum computing. We will
see later that quantum advice is closely related to quantum one-way communication, since we can think of an
advice state as a one-way message sent to an algorithm by a benevolent "advisor."

This paper is about the limitations of quantum advice and one-way communication. It presents three 
contributions which are basically independent of one another. 

First, Section 3 shows that $D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ for any Boolean function f, partial or total.
Here $D^1(f)$ is deterministic one-way communication complexity, $Q^1_2(f)$ is bounded-error one-way quantum
communication complexity, and m is the length of Bob's input. Intuitively, whenever the set of Bob's possible
inputs is not too large, Alice can send him a short classical message that lets him learn the outcome of any
measurement he would have wanted to make on the quantum message. It is interesting that a slightly tighter
bound for total functions — $D^1(f) = O(m Q^1_2(f))$ — follows easily from a result of Klauck together with a
lemma of Sauer [33] about VC-dimension. However, the proof of the latter bound is highly nonconstructive,
and seems to fail for partial f.

Using our communication complexity result, in Section 3.1 we show that BQP/qpoly ⊆ PP/poly — in other
words, BQP with polynomial-size quantum advice can be simulated in PP with polynomial-size classical
advice.^5 This resolves a question of Harry Buhrman (personal communication), who asked whether quantum
advice can be simulated in any classical complexity class with short classical advice. A corollary of our
containment is that we cannot hope to show an unrelativized separation between quantum and classical
advice (that is, that BQP/poly ≠ BQP/qpoly), without also showing that PP does not have polynomial-size
circuits.

What makes this result surprising is that, in the minds of many computer scientists, a quantum state is
basically an exponentially long vector. Indeed, this belief seems to fuel skepticism of quantum computing
(see Goldreich [16] for example). But given an exponentially long advice string, even a classical computer
could decide any language whatsoever. So one might imagine naively that quantum advice would let us solve
problems that are not even recursively enumerable given classical advice of a similar size! The failure of
this naive intuition supports the view that a quantum superposition over n-bit strings is "more similar" to a
probability distribution over n-bit strings than to a $2^n$-bit string.

^2 One might object that the starting state is itself the outcome of some computational process, which began no earlier than
the Big Bang. However, (1) for all we know highly entangled states were created in the Big Bang, and (2) 14 billion years is a
long time.

^3 If we knew the input, we would simply request a starting state that contains the right answer!

^4 BQP/qpoly might remind readers of a better-studied class called QMA (Quantum Merlin-Arthur). But there are two key
differences: first, advice can be trusted while proofs cannot; second, proofs can be tailored to a particular input while advice
cannot.

^5 Here PP is Probabilistic Polynomial-Time, or the class of languages for which there exists a polynomial-time classical
randomized algorithm that accepts with probability greater than 1/2 if and only if an input x is in the language. Also, given a
complexity class C, the class C/poly consists of all languages decidable by a C machine, given a polynomial-size classical advice
string that depends only on the input length. See www.complexityzoo.com for more information about standard complexity
classes mentioned in this paper.
Our second contribution, in Sectional is an oracle relative to which NP is not contained in BQP/qpoly.
Underlying this oracle separation is the first correct proof of a direct product theorem for quantum search.
Given an N-item database with K marked items, the direct product theorem says that if a quantum algorithm

queries, then the probability that the algorithm finds all K of the marked items decreases
exponentially in K. Notice that such a result does not follow from any existing quantum lower bound.
Earlier Klauck [20] had claimed a weaker direct product theorem, based on the hybrid method of Bennett et
al. [7], in a paper on quantum time-space tradeoffs for sorting. Unfortunately, Klauck's proof is incorrect.
Our proof uses the polynomial method of Beals et al. [S], with the novel twist that we examine all higher
derivatives of a polynomial (not just the first derivative). Our proof has already been improved by Klauck,
Spalek, and de Wolf [22], who were able to recover and even extend Klauck's original claims about quantum

sorting.

Our final contribution, in Sectional is a new trace distance method for proving lower bounds on quantum
one-way communication complexity. Previously there was only one basic lower bound technique: the
VC-dimension method of Klauck [19], which relied on lower bounds for quantum random access codes due to
Ambainis et al. |lj and Nayak. Using VC-dimension one can show, for example, that $Q^1_2(\mathrm{DISJ}) = \Omega(n)$,
where the disjointness function $\mathrm{DISJ} : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ is defined by $\mathrm{DISJ}(x,y) = 1$ if and only if
$x_i y_i = 0$ for all $i \in \{1,\ldots,n\}$.

For some problems, however, the VC-dimension method yields no nontrivial quantum lower bound. Seeking
to make this point vividly, Ambainis posed the following problem. Alice is given two elements x,y of a finite
field $\mathbb{F}_p$ (where p is prime); Bob is given another two elements $a,b \in \mathbb{F}_p$. Bob's goal is to output 1 if
$y \equiv ax + b \pmod{p}$ and 0 otherwise. For this problem, the VC-dimension method yields no randomized or
quantum lower bound better than constant. On the other hand, the well-known fingerprinting protocol for
the equality function [30] seems to fail for Ambainis' problem, because of the interplay between addition and
multiplication. So it is natural to conjecture that the randomized and even quantum one-way complexities
are $\Theta(\log p)$ — that is, that no nontrivial protocol exists for this problem.

Ambainis posed a second problem in the same spirit. Here Alice is given $x \in \{1,\ldots,N\}$, Bob is given
$y \in \{1,\ldots,N\}$, and both players know a subset $S \subseteq \{1,\ldots,N\}$. Bob's goal is to decide whether $x - y \in S$
where subtraction is modulo N. The conjecture is that if S is chosen uniformly at random with $|S|$ about
$\sqrt{N}$, then with high probability the randomized and quantum one-way complexities are both $\Theta(\log N)$.

Using our trace distance method, we are able to show optimal quantum lower bounds for both of Ambainis'
problems. Previously, no nontrivial lower bounds were known even for randomized protocols. The key idea is
to consider two probability distributions over Alice's quantum message $\rho_x$. The first distribution corresponds
to x chosen uniformly at random; the second corresponds to x chosen uniformly conditioned on $f(x,y) = 1$.
These distributions give rise to two mixed states $\rho$ and $\rho_y$, which Bob must be able to distinguish with
non-negligible bias assuming he can evaluate $f(x,y)$. We then show an upper bound on the trace distance
$\|\rho - \rho_y\|_{\mathrm{tr}}$, which implies that Bob cannot distinguish the distributions.

Theorem 15 gives a very general condition under which our trace distance method works; Corollaries 16
and 17 then show that the condition is satisfied for Ambainis' two problems. Besides showing a significant
limitation of the VC-dimension method, we hope our new method is a non-negligible step towards proving
that $R^1_2(f) = O(Q^1_2(f))$ for all total Boolean functions f, where $R^1_2(f)$ is randomized one-way complexity.

We conclude in Section |H1 with some open problems.

2 Preliminaries

This section reviews basic definitions and results about quantum one-way communication (in Section 2.1) and
quantum advice (in Section 2.2); then Section 2.3 proves a quantum information lemma that will be used
throughout the paper.

2.1 Quantum One-Way Communication

Following standard conventions, we denote by $D^1(f)$ the deterministic one-way complexity of f, or the
minimum number of bits that Alice must send if her message is a function of x. Also, $R^1_2(f)$, the bounded-error
randomized one-way complexity, is the minimum k such that for every x, y, if Alice sends Bob a k-bit message
drawn from some distribution then Bob can output a bit a such that $a = f(x,y)$ with probability at least
2/3. (The subscript 2 means that the error is two-sided.) The zero-error randomized complexity $R^1_0(f)$ is
similar, except that Bob's answer can never be wrong: he must output $f(x,y)$ with probability at least 1/2
and otherwise declare failure.

The bounded-error quantum one-way complexity $Q^1_2(f)$ is the minimum k such that, if Alice sends Bob a
mixed state $\rho_x$ of k qubits, there exists a joint measurement of $\rho_x$ and y enabling Bob to output an a such
that $a = f(x,y)$ with probability at least 2/3. The zero-error and exact complexities $Q^1_0(f)$ and $Q^1_E(f)$ are
defined analogously. Requiring Alice's message to be a pure state would increase these complexities by at
most a factor of 2, since by Kraus' Theorem, every k-qubit mixed state can be realized as half of a 2k-qubit
pure state. (Winter PEI has shown that this factor of 2 is tight.) See Klauck for more detailed definitions
of quantum and classical one-way communication complexity measures.

It is immediate that $D^1(f) \ge R^1_0(f) \ge R^1_2(f) \ge Q^1_2(f)$, that $R^1_0(f) \ge Q^1_0(f) \ge Q^1_2(f)$, and that
$D^1(f) \ge Q^1_E(f)$. Also, for total f, Duris et al. [12] showed that $R^1_0(f) = \Theta(D^1(f))$, while Klauck [HI
showed that $Q^1_E(f) = D^1(f)$ and that $Q^1_0(f) = \Theta(D^1(f))$. In other words, randomized and quantum
messages yield no improvement for total functions if we are unwilling to tolerate a bounded probability of
error. This remains true even if Alice and Bob share arbitrarily many EPR pairs. As is often the case,
the situation is dramatically different for partial functions: there it is easy to see that $R^1_0(f)$ can be constant
even though $D^1(f) = \Omega(n)$: let $f(x,y) = 1$ if $x_1 y_1 + \cdots + x_{n/2} y_{n/2} > n/4$ and $x_{n/2+1} y_{n/2+1} + \cdots + x_n y_n = 0$,
and $f(x,y) = 0$ if $x_1 y_1 + \cdots + x_{n/2} y_{n/2} = 0$ and $x_{n/2+1} y_{n/2+1} + \cdots + x_n y_n > n/4$, promised that one of these
is the case.

Moreover, Bar-Yossef, Jayram, and Kerenidis [Hj have almost shown that $Q^1_E(f)$ can be exponentially
smaller than $R^1_2(f)$. In particular, they proved that separation for a relation, meaning a problem for which
Bob has many possible valid outputs. For a partial function f based on their relation, they also showed that
$Q^1_E(f) = \Theta(\log n)$ whereas $R^1_0(f) = \Theta(\sqrt{n})$; and they conjectured (but did not prove) that $R^1_2(f) = \Theta(\sqrt{n})$.



2.2 Quantum Advice 

Informally, BQP/qpoly is the class of languages decidable in polynomial time on a quantum computer, given 
a polynomial-size quantum advice state that depends only on the input length. We now make the definition 
more formal. 

Definition 1 A language L is in BQP/qpoly if there exists a polynomial-size quantum circuit family $\{C_n\}_{n \ge 1}$,
and a polynomial-size family of quantum states $\{|\psi_n\rangle\}_{n \ge 1}$, such that for all $x \in \{0,1\}^n$,

(i) If $x \in L$ then $q(x) \ge 2/3$, where $q(x)$ is the probability that the first qubit is measured to be $|1\rangle$, after
$C_n$ is applied to the starting state $|x\rangle \otimes |0 \cdots 0\rangle \otimes |\psi_n\rangle$.

(ii) If $x \notin L$ then $q(x) \le 1/3$.^6

The central open question about BQP/qpoly is whether it equals BQP/poly, or BQP with polynomial-size
classical advice. We do have a candidate for an oracle problem separating the two classes: the group
membership problem of Watrous [33], which we describe for completeness. Let $G_n$ be a black box group^7
whose elements are uniquely labeled by n-bit strings, and let $H_n$ be a subgroup of $G_n$. Both $G_n$ and $H_n$
depend only on the input length n, so we can assume that a nonuniform algorithm knows generating sets for
both of them. Given an element $x \in G_n$ as input, the problem is to decide whether $x \in H_n$.

^6 If the starting state is $|x\rangle \otimes |0 \cdots 0\rangle \otimes |\varphi\rangle$ for some $|\varphi\rangle \ne |\psi_n\rangle$, then we do not require the acceptance probability to lie in
$[0,1/3] \cup [2/3,1]$. Therefore, what we call BQP/qpoly corresponds to what Nishimura and Yamakami [29] call BQP/*Qpoly.
Also, it does not matter whether the circuit family $\{C_n\}_{n \ge 1}$ is uniform, since we are giving it advice anyway.

^7 In other words, we have a quantum oracle available that given $x,y \in G_n$ outputs xy (i.e. exclusive-OR's xy into an answer
register), and that given $x \in G_n$ outputs $x^{-1}$.

If $G_n$ is "sufficiently nonabelian" and $H_n$ is exponentially large, we do not know how to solve this problem
in BQP or even BQP/poly. On the other hand, we can solve it in BQP/qpoly as follows. Let our quantum
advice state be an equal superposition over all elements of $H_n$:

$$|H_n\rangle = \frac{1}{\sqrt{|H_n|}} \sum_{y \in H_n} |y\rangle.$$

We can transform $|H_n\rangle$ into

$$|xH_n\rangle = \frac{1}{\sqrt{|H_n|}} \sum_{y \in H_n} |xy\rangle$$

by mapping $|y\rangle|0\rangle$ to $|y\rangle|xy\rangle$ to $|y \oplus x^{-1}xy\rangle|xy\rangle = |0\rangle|xy\rangle$ for each $y \in H_n$. Our algorithm will first prepare
the state $(|0\rangle|H_n\rangle + |1\rangle|xH_n\rangle)/\sqrt{2}$, then apply a Hadamard gate to the first qubit, and finally measure the
first qubit in the standard basis, in order to distinguish the cases $|H_n\rangle = |xH_n\rangle$ and $\langle H_n|xH_n\rangle = 0$ with
constant bias. The first case occurs whenever $x \in H_n$, and the second occurs whenever $x \notin H_n$.
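
The measurement statistics of the algorithm just described, simulated classically for a small permutation group; this is an added example, not code from the paper. The choice of S_4 with the subgroup S_3 and all function names are assumptions, and the coset state is built directly from a list of the subgroup's elements rather than from a black-box oracle and an advice state.

```python
import math
import random


def compose(p, q):
    """Product in the symmetric group: (p*q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)


def generate(gens):
    """Closure of a generating set under multiplication (a finite subgroup)."""
    identity = tuple(range(len(gens[0])))
    elems, frontier = {identity}, [identity]
    while frontier:
        g = frontier.pop()
        for s in gens:
            h = compose(s, g)
            if h not in elems:
                elems.add(h)
                frontier.append(h)
    return elems


def coset_state(x, H):
    """|xH> = |H|^(-1/2) * sum over y in H of |xy>, stored as {element: amplitude}."""
    amp = 1 / math.sqrt(len(H))
    return {compose(x, y): amp for y in H}


def prob_zero(x, H):
    """Pr[first qubit = 0] after preparing (|0>|H> + |1>|xH>)/sqrt(2)
    and applying a Hadamard gate to the first qubit."""
    identity = tuple(range(len(x)))
    r = 1 / math.sqrt(2)
    state = {}
    for g, a in coset_state(identity, H).items():
        state[(0, g)] = a * r
    for g, a in coset_state(x, H).items():
        state[(1, g)] = a * r
    after = {}
    for (b, g), a in state.items():
        # Hadamard: |0> -> (|0> + |1>)/sqrt(2), |1> -> (|0> - |1>)/sqrt(2)
        after[(0, g)] = after.get((0, g), 0.0) + a * r
        after[(1, g)] = after.get((1, g), 0.0) + (a if b == 0 else -a) * r
    return sum(a * a for (b, _), a in after.items() if b == 0)


def decide(x, H, shots, rng):
    """Accept x iff every repetition measures 0.
    If x is in H the outcome is always 0; otherwise each shot gives 0 with probability 1/2."""
    p0 = prob_zero(x, H)
    return all(rng.random() < p0 for _ in range(shots))


# Constructed instance: H is the copy of S_3 inside S_4 that fixes the point 3,
# generated by a 3-cycle and a transposition.
H = generate([(1, 2, 0, 3), (1, 0, 2, 3)])

if __name__ == "__main__":
    rng = random.Random(0)
    for x in [(2, 0, 1, 3), (0, 1, 3, 2)]:
        print(x, round(prob_zero(x, H), 6), decide(x, H, 40, rng))
```

The probability of outcome 0 is (1 + ⟨H|xH⟩)/2, so the two cases in the text show up as 1 and 1/2.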

Although the group membership problem provides intriguing evidence for the power of quantum advice,
we have no idea how to show that it is not also solvable using classical advice. Indeed, apart from a result
of Nishimura and Yamakami [22] that EESPACE ⊄ BQP/qpoly, essentially nothing was known about the class
BQP/qpoly before the present work.

2.3 The Almost As Good As New Lemma

The following simple lemma, which was implicit in |[4j, is used three times in this paper — in Theorems 6, 7,
and 14. It says that, if the outcome of measuring a quantum state $\rho$ could be predicted with near-certainty
given knowledge of $\rho$, then measuring $\rho$ will damage it only slightly. Recall that the trace distance $\|\rho - \sigma\|_{\mathrm{tr}}$
between two mixed states $\rho$ and $\sigma$ equals $\frac{1}{2} \sum_i |\lambda_i|$, where $\lambda_1, \ldots, \lambda_N$ are the eigenvalues of $\rho - \sigma$.

Lemma 2 Suppose a 2-outcome measurement of a mixed state $\rho$ yields outcome 0 with probability $1 - \varepsilon$.
Then after the measurement, we can recover a state $\tilde{\rho}$ such that $\|\tilde{\rho} - \rho\|_{\mathrm{tr}} \le \sqrt{\varepsilon}$. This is true even if the
measurement is a POVM (that is, involves arbitrarily many ancilla qubits).

Proof. Let $|\psi\rangle$ be a purification of the entire system ($\rho$ plus ancilla). We can represent any measurement
as a unitary U applied to $|\psi\rangle$, followed by a 1-qubit measurement. Let $|\varphi_0\rangle$ and $|\varphi_1\rangle$ be the two possible pure
states after the measurement; then $\langle\varphi_0|\varphi_1\rangle = 0$ and $U|\psi\rangle = \alpha|\varphi_0\rangle + \beta|\varphi_1\rangle$ for some $\alpha, \beta$ such that $|\alpha|^2 = 1 - \varepsilon$
and $|\beta|^2 = \varepsilon$. Writing the measurement result as $\sigma = (1 - \varepsilon)|\varphi_0\rangle\langle\varphi_0| + \varepsilon|\varphi_1\rangle\langle\varphi_1|$, it is easy to show that

So applying $U^{-1}$ to $\sigma$,

Let $\tilde{\rho}$ be the restriction of $U^{-1}\sigma U$ to the original qubits of $\rho$. Theorem 9.2 of Nielsen and Chuang [27] shows
that tracing out a subsystem never increases trace distance, so $\|\tilde{\rho} - \rho\|_{\mathrm{tr}} \le \sqrt{\varepsilon(1 - \varepsilon)} \le \sqrt{\varepsilon}$. ■

3 Simulating Quantum Messages 

Let $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$ be a Boolean function. In this section we first combine existing results
to obtain the relation $D^1(f) = O(m Q^1_2(f))$ for total f, and then prove using a new method that
$D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ for all f (partial or total).

Define the communication matrix $M_f$ to be a $2^n \times 2^m$ matrix with $f(x,y)$ in the x-th row and y-th column.
Then letting rows(f) be the number of distinct rows in $M_f$, the following is immediate.

Proposition 3 For total f,

$$D^1(f) = \lceil \log_2 \mathrm{rows}(f) \rceil,$$
$$Q^1_2(f) = \Omega(\log\log \mathrm{rows}(f)).$$

Also, let the VC-dimension VC(f) equal the maximum k for which there exists a $2^n \times k$ submatrix $M_g$
of $M_f$ with $\mathrm{rows}(g) = 2^k$. Then Klauck jj^ observed the following, based on a lower bound for quantum
random access codes due to Nayak.

Proposition 4 (Klauck) $Q^1_2(f) = \Omega(\mathrm{VC}(f))$ for total f.
Now let cols(f) be the number of distinct columns in $M_f$. Then Proposition 4 yields the following general
lower bound:

Corollary 5 $D^1(f) = O(m Q^1_2(f))$ for total f, where m is the size of Bob's input.

Proof. It follows from a lemma of Sauer that

$$\mathrm{rows}(f) \le \sum_{i=0}^{\mathrm{VC}(f)} \binom{\mathrm{cols}(f)}{i} \le \mathrm{cols}(f)^{\mathrm{VC}(f)+1}.$$

Hence $\mathrm{VC}(f) \ge \log_{\mathrm{cols}(f)} \mathrm{rows}(f) - 1$, so

$$Q^1_2(f) = \Omega(\mathrm{VC}(f)) = \Omega\left(\frac{\log \mathrm{rows}(f)}{\log \mathrm{cols}(f)}\right)$$

In particular, $D^1(f)$ and $Q^1_2(f)$ are polynomially related for total f, whenever Bob's input is polynomially
smaller than Alice's, and Alice's input is not "padded." More formally, $D^1(f) = O\left(Q^1_2(f)^{1/(1-c)}\right)$ whenever
$m = O(n^c)$ for some c < 1 and $\mathrm{rows}(f) = 2^n$ (i.e. all rows of $M_f$ are distinct). For then $D^1(f) = n$ by
Proposition 3 and $Q^1_2(f) = \Omega(D^1(f)/n^c) = \Omega(n^{1-c})$ by Corollary 5.
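
The quantities in Proposition 3, the VC-dimension definition and the Sauer's-lemma step of Corollary 5, computed by brute force on two small communication matrices; this is an added example, not code from the paper. The INDEX and greater-than functions and all names are illustrative assumptions.

```python
from itertools import combinations, product
from math import comb


def comm_matrix(f, n, m):
    """M_f: one row per x in {0,1}^n, one column per y in {0,1}^m."""
    xs = list(product((0, 1), repeat=n))
    ys = list(product((0, 1), repeat=m))
    return [tuple(f(x, y) for y in ys) for x in xs]


def vc_dim(M):
    """Largest k such that some k columns show all 2^k patterns among the rows."""
    cols = sorted(set(zip(*M)))  # duplicate columns can never be shattered together
    best = 0
    for k in range(1, len(cols) + 1):
        # zip(*chosen) restricts every row of M_f to the chosen columns
        if not any(len(set(zip(*chosen))) == 2 ** k
                   for chosen in combinations(cols, k)):
            break  # subsets of shattered sets are shattered, so no larger k works
        best = k
    return best


def measures(f, n, m):
    """rows(f), cols(f), VC(f), D^1(f) for total f, and the Sauer bound on rows(f)."""
    M = comm_matrix(f, n, m)
    rows, cols, vc = len(set(M)), len(set(zip(*M))), vc_dim(M)
    return {
        "rows": rows,
        "cols": cols,
        "VC": vc,
        "D1": (rows - 1).bit_length(),  # ceil(log2 rows(f)), Proposition 3
        "sauer": sum(comb(cols, i) for i in range(vc + 1)),
    }


def to_int(bits):
    return int("".join(map(str, bits)), 2)


def index_fn(x, y):
    """INDEX: Bob's input y names one bit of Alice's input x."""
    return x[to_int(y)]


def greater_than(x, y):
    """GT: 1 iff x > y as binary numbers."""
    return int(to_int(x) > to_int(y))


if __name__ == "__main__":
    for name, f, n, m in [("INDEX", index_fn, 4, 2), ("GT", greater_than, 3, 3)]:
        r = measures(f, n, m)
        assert r["rows"] <= r["sauer"] <= r["cols"] ** (r["VC"] + 1)
        print(name, r)
```

For greater-than the VC-dimension is 1 although all rows are distinct, so the bound of Proposition 4 alone is constant there and the factor m in Corollary 5 carries the whole relation.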

We now give a new method for replacing quantum messages by classical ones when Bob's input is small.
Although the best bound we know how to obtain with this method — $D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ — is
slightly weaker than the $D^1(f) = O(m Q^1_2(f))$ of Corollary 5, our method works for partial Boolean functions
as well as total ones. It also yields a (relatively) efficient procedure by which Bob can reconstruct Alice's
quantum message, a fact we will exploit in Section 3.1 to show BQP/qpoly ⊆ PP/poly. By contrast, the
method based on Sauer's Lemma seems to be nonconstructive.

Theorem 6 $D^1(f) = O(m Q^1_2(f) \log Q^1_2(f))$ for all f (partial or total).

Proof. Let $f : \mathcal{D} \to \{0,1\}$ be a partial Boolean function with $\mathcal{D} \subseteq \{0,1\}^n \times \{0,1\}^m$, and for all $x \in \{0,1\}^n$,
let $\mathcal{D}_x = \{y \in \{0,1\}^m : (x,y) \in \mathcal{D}\}$. Suppose Alice can send Bob a quantum state with $Q^1_2(f)$ qubits, that
enables him to compute $f(x,y)$ for any $y \in \mathcal{D}_x$ with error probability at most 1/3. Then she can also send
him a boosted state $\rho$ with $K = O(Q^1_2(f) \log Q^1_2(f))$ qubits, such that for all $y \in \mathcal{D}_x$,

$$|P_y(\rho) - f(x,y)| \le \frac{1}{Q^1_2(f)^{10}},$$

where $P_y(\rho)$ is the probability that some measurement $\Lambda[y]$ yields a '1' outcome when applied to $\rho$. We
can assume for simplicity that $\rho$ is a pure state $|\psi\rangle\langle\psi|$; as discussed in Section 2.1, this increases the message
length by at most a factor of 2.

Let $\mathcal{Y}$ be any subset of $\mathcal{D}_x$ satisfying $|\mathcal{Y}| < Q^1_2(f)^2$. Then starting with $\rho$, Bob can measure $\Lambda[y]$ for
each $y \in \mathcal{Y}$ in lexicographic order, reusing the same message state again and again but uncomputing whatever
garbage he generates while measuring. Let $\rho_t$ be the state after the t-th measurement; thus $\rho_0 = \rho = |\psi\rangle\langle\psi|$.
Since the probability that Bob outputs the wrong value of $f(x,y)$ on any given y is at most $1/Q^1_2(f)^{10}$, Lemma
2 implies that

$$\|\rho_t - \rho_{t-1}\|_{\mathrm{tr}} \le \sqrt{\frac{1}{Q^1_2(f)^{10}}} = \frac{1}{Q^1_2(f)^5}.$$

Since trace distance satisfies the triangle inequality, this in turn implies that

$$\|\rho_t - \rho\|_{\mathrm{tr}} \le \frac{t}{Q^1_2(f)^5} \le \frac{1}{Q^1_2(f)^3}.$$
Now imagine an "ideal scenario" in which $\rho_t = \rho$ for every t; that is, the measurements do not damage $\rho$ at
all. Then the maximum bias with which Bob could distinguish the actual from the ideal scenario is

$$\left\| \rho_0 \otimes \cdots \otimes \rho_{|\mathcal{Y}|-1} - \rho^{\otimes |\mathcal{Y}|} \right\|_{\mathrm{tr}} \le \frac{|\mathcal{Y}|}{Q^1_2(f)^3} \le \frac{1}{Q^1_2(f)}.$$

So by the union bound, Bob will output $f(x,y)$ for every $y \in \mathcal{Y}$ simultaneously with probability at least

$$1 - \frac{|\mathcal{Y}|}{Q^1_2(f)^{10}} - \frac{1}{Q^1_2(f)} \ge 0.9$$

for sufficiently large $Q^1_2(f)$.

Now imagine that the communication channel is blocked, so Bob has to guess what message Alice wants
to send him. He does this by using the K-qubit maximally mixed state I in place of $\rho$. We can write I as

$$I = \frac{1}{2^K} \sum_{j=1}^{2^K} |\psi_j\rangle\langle\psi_j|,$$

where $|\psi_1\rangle, \ldots, |\psi_{2^K}\rangle$ are orthonormal vectors such that $|\psi_1\rangle = |\psi\rangle$. So if Bob uses the same procedure as
above except with I instead of $\rho$, then for any $\mathcal{Y} \subseteq \mathcal{D}_x$ with $|\mathcal{Y}| < Q^1_2(f)^2$, he will output $f(x,y)$ for every
$y \in \mathcal{Y}$ simultaneously with probability at least $0.9/2^K$.

We now give the classical simulation of the quantum protocol. Alice's message to Bob consists of $T \le K$
inputs $y_1, \ldots, y_T \in \mathcal{D}_x$, together with $f(x,y_1), \ldots, f(x,y_T)$.^8 Thus the message length is
$mT + T = O(m Q^1_2(f) \log Q^1_2(f))$. Here are the semantics of Alice's message: "Bob, suppose you looped over all $y \in \mathcal{D}_x$
in lexicographic order; and for each one, guessed that $f(x,y) = \mathrm{round}(P_y(I))$, where round(p) is 1 if p > 1/2
and 0 if p < 1/2. Then $y_1$ is the first y for which you would guess the wrong value of $f(x,y)$. In general,
let $I_t$ be the state obtained by starting from I and then measuring $\Lambda[y_1], \ldots, \Lambda[y_t]$ in that order, given
that the outcomes of the measurements are $f(x,y_1), \ldots, f(x,y_t)$ respectively. (Note that $I_t$ is not changed
by measurements of every $y \in \mathcal{D}_x$ up to $y_t$, only by measurements of $y_1, \ldots, y_t$.) If you looped over all
$y \in \mathcal{D}_x$ in lexicographic order beginning from $y_t$, then $y_{t+1}$ is the first y you would encounter for which
$\mathrm{round}(P_y(I_t)) \ne f(x,y)$."

Given the sequence of $y_t$'s as defined above, it is obvious that Bob can compute $f(x,y)$ for any $y \in \mathcal{D}_x$.
First, if $y = y_t$ for some t, then he simply outputs $f(x,y_t)$. Otherwise, let $t^*$ be the largest t for which
$y_t < y$ lexicographically. Then Bob prepares a classical description of the state $I_{t^*}$ — which he can do since
he knows $y_1, \ldots, y_{t^*}$ and $f(x,y_1), \ldots, f(x,y_{t^*})$ — and then outputs $\mathrm{round}(P_y(I_{t^*}))$ as his claimed value of
$f(x,y)$. Notice that, although Alice uses her knowledge of $\mathcal{D}_x$ to prepare her message, Bob does not need
to know $\mathcal{D}_x$ in order to interpret the message. That is why the simulation works for partial as well as total
functions.

But why can we assume that the sequence of $y_t$'s stops at $y_T$ for some $T \le K$? Suppose T > K; we
will derive a contradiction. Let $\mathcal{Y} = \{y_1, \ldots, y_{K+1}\}$. Then $|\mathcal{Y}| = K + 1 < Q^1_2(f)^2$, so we know from
previous reasoning that if Bob starts with I and then measures $\Lambda[y_1], \ldots, \Lambda[y_{K+1}]$ in that order, he will
observe $f(x,y_1), \ldots, f(x,y_{K+1})$ simultaneously with probability at least $0.9/2^K$. But by the definition of
$y_t$, the probability that $\Lambda[y_t]$ yields the correct outcome is at most 1/2, conditioned on $\Lambda[y_1], \ldots, \Lambda[y_{t-1}]$
having yielded the correct outcomes. Therefore $f(x,y_1), \ldots, f(x,y_{K+1})$ are observed simultaneously with
probability at most $1/2^{K+1} < 0.9/2^K$, contradiction. ■
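
The classical simulation from the proof of Theorem 6, run in a special case where every state is diagonal; this is an added example, not code from the paper. It assumes Alice's K-qubit message is the basis state |x⟩ and that Λ[y] measures the parity x·y mod 2, so each I_t is a uniform mixture over a set of K-bit strings, postselection is conditioning, and no boosting is needed; the function names and the rule that ties round to 0 are also assumptions.

```python
from itertools import product


def f(x, y):
    """Inner product mod 2; an assumed stand-in for the paper's f(x, y)."""
    return sum(a & b for a, b in zip(x, y)) % 2


def guess(support, y):
    """round(P_y(I_t)) when I_t is the uniform mixture over `support`.
    P_y is the fraction of strings z in the support with f(z, y) = 1.
    Ties (P_y = 1/2) round to 0, an assumption of this example."""
    ones = sum(f(z, y) for z in support)
    return 1 if 2 * ones > len(support) else 0


def postselect(support, y, bit):
    """Measure Lambda[y] on the mixture and condition on outcome `bit`."""
    return [z for z in support if f(z, y) == bit]


def alice_message(x, domain):
    """Pairs (y_t, f(x, y_t)): the inputs at which Bob's running guess is wrong."""
    support = list(product((0, 1), repeat=len(x)))  # maximally mixed state I
    message = []
    for y in sorted(domain):                         # lexicographic order
        if guess(support, y) != f(x, y):
            message.append((y, f(x, y)))
            support = postselect(support, y, f(x, y))  # I_t -> I_{t+1}
    return message


def bob_output(message, K, y):
    """Bob's claimed value of f(x, y); he never needs to know the domain D_x."""
    support = list(product((0, 1), repeat=K))
    for y_t, bit in message:
        if y_t == y:
            return bit                               # y is one of the y_t
        if y_t > y:
            break
        support = postselect(support, y_t, bit)      # rebuild I_{t*}
    return guess(support, y)


def message_bits(message, m):
    """Length mT + T of Alice's classical message."""
    return len(message) * (m + 1)


if __name__ == "__main__":
    K = 4
    x = (1, 0, 1, 1)                                 # constructed input
    domain = list(product((0, 1), repeat=K))
    msg = alice_message(x, domain)
    print(msg, message_bits(msg, K))
    assert all(bob_output(msg, K, y) == f(x, y) for y in domain)
```

Each recorded y_t at least halves the support while x itself always survives, which is why the message never holds more than K pairs.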

3.1 Simulating Quantum Advice 

We now apply our new simulation method to upper-bound the power of quantum advice. 

Theorem 7 BQP/qpoly ⊆ PP/poly.

^8 Strictly speaking, Bob will be able to compute $f(x,y_1), \ldots, f(x,y_T)$ for himself given $y_1, \ldots, y_T$; he does not need Alice to
tell him the f values.

Proof. For notational convenience, let $L_n(x) = 1$ if input $x \in \{0,1\}^n$ is in language L, and $L_n(x) = 0$
otherwise. Suppose $L_n$ is computed by a BQP machine using quantum advice of length p(n). We will give
a PP machine that computes $L_n$ using classical advice of length $O(n\,p(n) \log p(n))$. Because of the close
connection between advice and one-way communication, the simulation method will be essentially identical to
that of Theorem

By using a boosted advice state on $K = O(p(n) \log p(n))$ qubits, a polynomial-time quantum algorithm
A can compute $L_n(x)$ with error probability at most $1/p(n)^{10}$. Now the classical advice to the PP machine
consists of $T \le K$ inputs $x_1, \ldots, x_T \in \{0,1\}^n$, together with $L_n(x_1), \ldots, L_n(x_T)$. Let I be the maximally
mixed state on K qubits. Also, let $P_x(\rho)$ be the probability that A outputs '1' on input x, given $\rho$ as its
advice state. Then $x_1$ is the lexicographically first input x for which $\mathrm{round}(P_x(I)) \ne L_n(x)$. In general,
let $I_t$ be the state obtained by starting with I as the advice and then running A on $x_1, \ldots, x_t$ in that order
(uncomputing garbage along the way), if we postselect on A correctly outputting $L_n(x_1), \ldots, L_n(x_t)$. Then
$x_{t+1}$ is the lexicographically first $x > x_t$ for which $\mathrm{round}(P_x(I_t)) \ne L_n(x)$.

Given the classical advice, we can compute $L_n(x)$ as follows: if $x \in \{x_1, \ldots, x_T\}$ then output $L_n(x_t)$.
Otherwise let $t^*$ be the largest t for which $x_t < x$ lexicographically, and output $\mathrm{round}(P_x(I_{t^*}))$. The proof
that this algorithm works is the same as in Theorem 6 and so is omitted for brevity. All we need to show is
that the algorithm can be implemented in PP.

Adleman, DeMarrais, and Huang [3] (see also Fortnow and Rogers) showed that BQP ⊆ PP, by using
what physicists would call a "Feynman sum-over-histories." Specifically, let C be a polynomial-size quantum
circuit that starts in the all-0 state, and that consists solely of Toffoli and Hadamard gates (Shi [25] has shown
that this gate set is universal). Also, let $\alpha_z$ be the amplitude of basis state $|z\rangle$ after all gates in C have been
applied. We can write $\alpha_z$ as a sum of exponentially many contributions, $a_1 + \cdots + a_N$, where each $a_i$ is a
rational real number computable in classical polynomial time. So by evaluating the sum



N 



putting positive and negative terms on "opposite sides of the ledger," a PP machine can check whether
$|\alpha_z|^2 > \beta$ for any rational constant $\beta$. It follows that a PP machine can also check whether

$$\sum_{z : S_1(z)} |\alpha_z|^2 > \sum_{z : S_0(z)} |\alpha_z|^2$$

(or equivalently, whether $\Pr[S_1] > \Pr[S_0]$) for any classical polynomial-time predicates $S_1$ and $S_0$.

Now suppose the circuit C does the following, in the case $x \notin \{x_1, \ldots, x_T\}$. It first prepares the K-qubit
maximally mixed state I (as half of a 2K-qubit pure state), and then runs A on $x_1, \ldots, x_{t^*}, x$ in that order,
using I as its advice state. The claimed values of $L_n(x_1), \ldots, L_n(x_{t^*}), L_n(x)$ are written to output registers
but not measured. For $i \in \{0,1\}$, let the predicate $S_i(z)$ hold if and only if basis state $|z\rangle$ contains the output
sequence $L_n(x_1), \ldots, L_n(x_{t^*}), i$. Then it is not hard to see that

$$P_x(I_{t^*}) = \frac{\Pr[S_1]}{\Pr[S_1] + \Pr[S_0]},$$

so $P_x(I_{t^*}) > 1/2$ and hence $L_n(x) = 1$ if and only if $\Pr[S_1] > \Pr[S_0]$. Since the case $x \in \{x_1, \ldots, x_T\}$ is
trivial, this shows that $L_n(x)$ is computable in PP/poly. ■

We make five remarks about Theorem 7. First, for the same reason that Theorem works for partial
as well as total functions, we actually obtain the stronger result that PromiseBQP/qpoly ⊆ PromisePP/poly,
where PromiseBQP and PromisePP are the promise-problem versions of BQP and PP respectively.

Second, as pointed out to us by Lance Fortnow, a corollary of Theorem 7 is that we cannot hope to show
an unrelativized separation between BQP/poly and BQP/qpoly, without also showing that PP does not have
polynomial-size circuits. For BQP/poly ≠ BQP/qpoly clearly implies that P/poly ≠ PP/poly. But the latter
then implies that PP ⊄ P/poly, since assuming PP ⊆ P/poly we could also obtain polynomial-size circuits for
a language L ∈ PP/poly by defining a new language L' ∈ PP, consisting of all (x, a) pairs such that the PP
machine would accept x given advice string a. The reason this works is that PP is a syntactically defined
class.

Third, an earlier version of this paper showed that BQP/qpoly $\subseteq$ EXP/poly, by using a simulation in which
an EXP machine keeps track of a subspace H of the advice Hilbert space to which the 'true' advice state must
be close. In that simulation, the classical advice specifies inputs $x_1, \ldots, x_T$ for which dim(H) is at least halved;
the observation that dim(H) must be at least 1 by the end then implies that $T < K = O(p(n) \log p(n))$,
meaning that the advice is of polynomial size. The huge improvement from EXP to PP came solely from
working with measurement outcomes and their probabilities instead of with subspaces and their dimensions.
We can compute the former using the same "Feynman sum-over-histories" that Adleman et al. [3] used to
show BQP $\subseteq$ PP, but could not see any way to compute the latter without explicitly storing and diagonalizing
exponentially large matrices.

Fourth, assuming BQP/poly $\ne$ BQP/qpoly, Theorem 7 is almost the best result of its kind that one could
hope for, since the only classes known to lie between BQP and PP and not known to equal either are obscure
ones such as AWPP [15]. Initially the theorem seemed to us to prove something stronger, namely that
BQP/qpoly $\subseteq$ PostBQP/poly. Here PostBQP is the class of languages decidable by polynomial-size quantum
circuits with postselection — meaning the ability to measure a qubit that has a nonzero probability of being
$|1\rangle$, and then assume that the measurement outcome will be $|1\rangle$. Clearly PostBQP lies somewhere between
BQP and PP; one can think of it as a quantum analogue of the classical complexity class BPPpath E|- We
have since shown, however, that PostBQP = PP 01.

Fifth, it is clear that Adleman et al.'s BQP $\subseteq$ PP result [3] can be extended to show that PQP = PP.
Here PQP is the quantum analogue of PP — that is, quantum polynomial time but where the probability of a
correct answer need only be bounded above 1/2, rather than above 2/3. A reviewer asked whether Theorem
7 could similarly be extended to show that PQP/qpoly = PP/poly. The answer is no — for indeed, PQP/qpoly
contains every language whatsoever! To see this, given any function $L_n : \{0,1\}^n \to \{0,1\}$, let our quantum
advice state be

$$|\psi_n\rangle = \frac{1}{2^{n/2}} \sum_{x \in \{0,1\}^n} |x\rangle\, |L_n(x)\rangle.$$

Then a PQP algorithm to compute $L_n$ is as follows: given an input $x \in \{0,1\}^n$, first measure $|\psi_n\rangle$ in the
standard basis. If $|x\rangle |L_n(x)\rangle$ is observed, output $L_n(x)$; otherwise output a uniform random bit.

4 Oracle Limitations 

Can quantum computers solve NP-complete problems in polynomial time? In the early days of quantum
computing, Bennett et al. [7] gave an oracle relative to which NP $\not\subset$ BQP, providing what is still the best
evidence we have that the answer is no. It is easy to extend Bennett et al.'s result to give an oracle relative
to which NP $\not\subset$ BQP/poly; that is, NP is hard even for nonuniform quantum algorithms. But when we try to
show NP $\not\subset$ BQP/qpoly relative to an oracle, a new difficulty arises: even if the oracle encodes $2^n$ exponentially
hard search problems for each input length n, the quantum advice, being an "exponentially large object" itself,
might somehow encode information about all $2^n$ problems. We need to argue that even if so, only a minuscule
fraction of that information can be extracted by measuring the advice.

How does one prove such a statement? As it turns out, the task can be reduced to proving a direct product 
theorem for quantum search. This is a theorem that in its weakest form says the following: given N items, K 
of which are marked, if we lack enough time to find even one marked item, then the probability of finding all 
K items decreases exponentially in K. For intuitively, suppose there were a quantum advice state that let us 
efficiently find any one of K marked items. Then by "guessing" the advice (i.e. replacing it by a maximally 
mixed state), and then using the guessed advice multiple times, we could efficiently find all K of the items 
with a success probability that our direct product theorem shows is impossible. This reduction is formalized
in Theorem 14.

But what about the direct product theorem itself? It seems like it should be trivial to prove — for surely 
there are no devious correlations by which success in finding one marked item leads to success in finding all 
the others! So it is surprising that even a weak direct product theorem eluded proof for years. In 2001, 
Klauck [20] gave an attempted proof using the hybrid method of Bennett et al. [7]. His motivation was to
show a limitation of space-bounded quantum sorting algorithms. Unfortunately, Klauck's proof is fallacious.^ 

^Specifically, the last sentence in the proof of Lemma 5 in [20] ("Clearly this probability is at least (px — Cf)") is not justified
by what precedes it.

In this section we give the first correct proof of a direct product theorem, based on the polynomial method
of Beals et al. Besides showing that NP $\not\subset$ BQP/qpoly relative to an oracle, our result can be used to
recover the conclusions in [20] about the hardness of quantum sorting (see Klauck, Spalek, and de Wolf [21]
for details). We expect the result to have other applications as well.

We will need the following lemma of Beals et al. which builds on ideas due to Minsky and Papert pS] 
and Nisan and Szegedy |2H1- 

Lemma 8 (Beals et al.) Suppose a quantum algorithm makes T queries to an oracle string $X \in \{0,1\}^N$,
and accepts with probability $A(X)$. Then there exists a real polynomial p, of degree at most 2T, such that

$$p(i) = \mathop{\mathrm{EX}}_{|X| = i} [A(X)]$$

for all integers $i \in \{0, \ldots, N\}$, where $|X|$ denotes the Hamming weight of X.

Lemma 8 implies that, to lower-bound the number of queries T made by a quantum algorithm, it suffices to
lower-bound deg(p), where p is a real polynomial representing the algorithm's expected acceptance probability.
As an example, any quantum algorithm that computes the OR function on N bits, with success probability
at least 2/3, yields a polynomial p such that $p(0) \in [0, 1/3]$ and $p(i) \in [2/3, 1]$ for all integers $i \in \{1, \ldots, N\}$.
To lower-bound the degree of such a polynomial, one can use an inequality proved by A. A. Markov in 1890 
see also PT]1: 

Theorem 9 (A. A. Markov) Given a real polynomial p and constant N > 0, let $r^{(0)} = \max_{x \in [0,N]} |p(x)|$
and $r^{(1)} = \max_{x \in [0,N]} |p'(x)|$. Then

$$\deg(p) \ge \sqrt{\frac{N r^{(1)}}{2 r^{(0)}}}.$$



Theorem 9 deals with the entire range [0, N], whereas in our setting p(x) is constrained only at the integer
points $x \in \{0, \ldots, N\}$. But as shown in [14, 28, 32], this is not a problem. For by elementary calculus,
$p(0) \le 1/3$ and $p(1) \ge 2/3$ imply that $p'(x) \ge 1/3$ for some real $x \in [0,1]$, and therefore $r^{(1)} \ge 1/3$.
Furthermore, let $x^*$ be a point in [0, N] where $|p(x^*)| = r^{(0)}$. Then $p(\lfloor x^* \rfloor) \in [0,1]$ and $p(\lceil x^* \rceil) \in [0,1]$ imply
that $r^{(1)} \ge 2(r^{(0)} - 1)$. Thus

$$\deg(p) \ge \sqrt{\frac{N r^{(1)}}{2 r^{(0)}}} \ge \sqrt{\frac{N \max\{1/3,\; 2(r^{(0)} - 1)\}}{2 r^{(0)}}} = \Omega\left(\sqrt{N}\right).$$

This is the proof of Beals et al. 'B that quantum search requires $\Omega(\sqrt{N})$ queries.

When proving a direct product theorem, we can no longer apply Theorem so straightforwardly. The 
reason is that the success probabilities in question are extremely small, and therefore the maximum derivative 
$r^{(1)}$ could also be extremely small. Fortunately, though, we can still prove a good lower bound on the degree
of the relevant polynomial p. The key is to look not just at the first derivative of p, but at higher derivatives. 

To start, we need a lemma about the behavior of functions under repeated differentiation. 

Lemma 10 Let $f : \mathbb{R} \to \mathbb{R}$ be an infinitely differentiable function such that for some positive integer K, we
have $f(i) = 0$ for all $i \in \{0, \ldots, K-1\}$ and $f(K) = \delta > 0$. Also, let $r^{(m)} = \max_{x \in [0,N]} |f^{(m)}(x)|$, where
$f^{(m)}(x)$ is the $m$-th derivative of f evaluated at x (thus $f^{(0)} = f$). Then $r^{(m)} \ge \delta/m!$ for all $m \in \{0, \ldots, K\}$.

Proof. We claim, by induction on m, that there exist $K - m + 1$ points $0 \le x_0^{(m)} < \cdots < x_{K-m}^{(m)} \le K$ such
that $f^{(m)}(x_i^{(m)}) = 0$ for all $i \le K - m - 1$ and $f^{(m)}(x_{K-m}^{(m)}) \ge \delta/m!$. If we define $x_i^{(0)} = i$, then the base case
m = 0 is immediate from the conditions of the lemma. Suppose the claim is true for m; then by elementary
calculus, for all $i \le K - m - 2$ there exists a point $x_i^{(m+1)} \in (x_i^{(m)}, x_{i+1}^{(m)})$ such that $f^{(m+1)}(x_i^{(m+1)}) = 0$.
Notice that $x_i^{(m+1)} \ge x_i^{(m)} \ge \cdots \ge x_i^{(0)} = i$. So there is also a point $x_{K-m-1}^{(m+1)} \in (x_{K-m-1}^{(m)}, x_{K-m}^{(m)})$ such that

$$f^{(m+1)}\left(x_{K-m-1}^{(m+1)}\right) \ge \frac{f^{(m)}\left(x_{K-m}^{(m)}\right) - f^{(m)}\left(x_{K-m-1}^{(m)}\right)}{x_{K-m}^{(m)} - x_{K-m-1}^{(m)}} \ge \frac{\delta/m! - 0}{K - (K - m - 1)} = \frac{\delta}{(m+1)!}.$$



With the help of Lemma 10 we can sometimes lower-bound the degree of a real polynomial even if its first
derivative is small throughout the region of interest. To do so, we use the following generalization of A. A.
Markov's inequality (Theorem 9), which was proved by A. A. Markov's younger brother V. A. Markov in 1892
(1211; see also EH).

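Theorem 11 (V. A. Markov) Given a real polynomial p of degree d and positive real number N, let
$r^{(m)} = \max_{x \in [0,N]} |p^{(m)}(x)|$. Then for all $m \in \{1, \ldots, d\}$,

$$r^{(m)} \le \left(\frac{2 r^{(0)}}{N}\right)^m T_d^{(m)}(1) \le \left(\frac{2 r^{(0)}}{N}\right)^m \frac{d^2 (d^2 - 1^2)(d^2 - 2^2) \cdots (d^2 - (m-1)^2)}{1 \cdot 3 \cdot 5 \cdots (2m-1)}.$$

Here $T_d(x) = \cos(d \arccos x)$ is the $d$-th Chebyshev polynomial of the first kind.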

As we demonstrate below, combining Theorem 11 with Lemma 10 yields a lower bound on deg(p).

Lemma 12 Let p be a real polynomial such that

(i) $p(x) \in [0, 1]$ at all integer points $x \in \{0, \ldots, N\}$, and

(ii) for some positive integer $K \le N$ and real $\delta > 0$, we have $p(K) = \delta$ and $p(i) = 0$ for all $i \in \{0, \ldots, K-1\}$.

Then $\deg(p) = \Omega\left(\sqrt{N \delta^{1/K}}\right)$.
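Proof. Let and $r^{(m)}$ be as in Theorem 11. Then for all $m \in \{1, \ldots, \deg(p)\}$, Theorem 11 yields

$$r^{(m)} \le \left(\frac{2 r^{(0)}}{N}\right)^m \frac{\deg(p)^{2m}}{1 \cdot 3 \cdot 5 \cdots (2m-1)}.$$

Rearranging,

$$\deg(p) \ge \sqrt{\frac{N}{2 r^{(0)}}} \left(1 \cdot 3 \cdot 5 \cdots (2m-1) \cdot r^{(m)}\right)^{1/(2m)}$$

for all $m \ge 1$ (if $m > \deg(p)$ then $r^{(m)} = 0$ so the bound is trivial).

There are now two cases. First suppose $r^{(0)} \ge 2$. Then as discussed previously, condition (i) implies that
$r^{(1)} \ge 2(r^{(0)} - 1)$, and hence that

$$\deg(p) \ge \sqrt{\frac{N r^{(1)}}{2 r^{(0)}}} \ge \sqrt{\frac{N (r^{(0)} - 1)}{r^{(0)}}} = \Omega\left(\sqrt{N}\right)$$

by Theorem 9. Next suppose $r^{(0)} < 2$. Then $r^{(m)} \ge \delta/m!$ for all $m \le K$ by Lemma 10. So setting $m = K$
yields

$$\deg(p) \ge \sqrt{\frac{N}{2 r^{(0)}}} \left(1 \cdot 3 \cdot 5 \cdots (2K-1) \cdot \frac{\delta}{K!}\right)^{1/(2K)} = \Omega\left(\sqrt{N \delta^{1/K}}\right).$$

Either way we are done. ■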

Strictly speaking, we do not need the full strength of Theorem 11 to prove a lower bound on deg(p) that
suffices for an oracle separation between NP and BQP/qpoly. For we can show a "rough-and-ready" version
of V. A. Markov's inequality by applying A. A. Markov's inequality (Theorem 9) repeatedly, to $p, p^{(1)}, p^{(2)}$,
and so on. This yields

$$r^{(m)} \le \frac{2}{N} \deg(p)^2\, r^{(m-1)} \le \left(\frac{2}{N} \deg(p)^2\right)^m r^{(0)}$$

for all m. If deg(p) is small, then this upper bound on $r^{(m)}$ contradicts the lower bound of Lemma 10.
However, the lower bound on deg(p) that one gets from A. A. Markov's inequality is only $\Omega\left(\sqrt{N \delta^{1/K} / K}\right)$,
as opposed to $\Omega\left(\sqrt{N \delta^{1/K}}\right)$ from Lemma 12.^^°

Shortly after seeing our proof of a weak direct product theorem, Klauck, Spalek, and de Wolf [23] managed
to improve the lower bound on deg(p) to the essentially tight $\Omega\left(\sqrt{N K \delta^{1/K}}\right)$. In particular, their bound
implies that $\delta$ decreases exponentially in K whenever $\deg(p) = o\left(\sqrt{NK}\right)$. They obtained this improvement
by factoring p instead of differentiating it as in Lemma 10.

In any case, a direct product theorem follows trivially from what has already been said. 

Theorem 13 (Direct Product Theorem) Suppose a quantum algorithm makes T queries to an oracle
string $X \in \{0, 1\}^N$. Let $\delta$ be the minimum probability, over all X with Hamming weight $|X| = K$, that the
algorithm finds all K of the '1' bits. Then $\delta \le (cT^2/N)^K$ for some constant c.

Proof. Have the algorithm accept if it finds K or more '1' bits and reject otherwise. Let $p(i)$ be the
expected probability of acceptance if X is drawn uniformly at random subject to $|X| = i$. Then we know the
following about p:

(i) $p(i) \in [0, 1]$ at all integer points $i \in \{0, \ldots, N\}$, since $p(i)$ is a probability.

(ii) $p(i) = 0$ for all $i \in \{0, \ldots, K-1\}$, since there are not K marked items to be found.

(iii) $p(K) \ge \delta$.

Furthermore, Lemma 8 implies that p is a polynomial in i satisfying $\deg(p) \le 2T$. It follows from Lemma
12 that $T = \Omega\left(\sqrt{N \delta^{1/K}}\right)$, or rearranging, that $\delta \le (cT^2/N)^K$. ■

We can now prove the desired oracle separation using standard complexity theory tricks. 

Theorem 14 There exists an oracle relative to which NP $\not\subset$ BQP/qpoly.

Proof. Given an oracle $A : \{0, 1\}^* \to \{0, 1\}$, define the language $L_A$ by $(y, z) \in L_A$ if and only if $y \le z$
lexicographically and there exists an x such that $y \le x \le z$ and $A(x) = 1$. Clearly $L_A \in \mathrm{NP}^A$ for all A. We
argue that for some A, no BQP/qpoly machine M with oracle access to A can decide $L_A$. Without loss of
generality we assume M is fixed, so that only the advice states $\{|\psi_n\rangle\}_{n \ge 1}$ depend on A. We also assume the

advice is boosted, so that M's error probability on any input (y, z) is 2 

Choose a set $S \subset \{0, 1\}^n$ subject to $|S| = 2^{n/10}$; then for all $x \in \{0, 1\}^n$, set $A(x) = 1$ if and only if $x \in S$.
We claim that by using M, an algorithm could find all $2^{n/10}$ elements of S with high probability after only
$2^{n/10}\,\mathrm{poly}(n)$ queries to A. Here is how: first use binary search (repeatedly halving the distance between y
and z) to find the lexicographically first element of S. By Lemma 3 the boosted advice state $|\psi_n\rangle$ is good for

uses, so this takes only poly(n) queries. Then use binary search to find the lexicographically second
element, and so on until all elements have been found.

Now replace $|\psi_n\rangle$ by the maximally mixed state as in Theorem 7. This yields an algorithm that uses no
advice, makes $2^{n/10}\,\mathrm{poly}(n)$ queries, and finds all $2^{n/10}$ elements of S with probability $2^{-O(\mathrm{poly}(n))}$. But taking

-"^"An earlier version of this paper claimed to prove deg (p) = Q (^\/NK/ log^^^ (l/<5)^ , by applying Bernstein's inequality 

rather than A. A. Markov's to all derivatives $p^{(m)}$. We have since discovered a flaw in that argument. In any case, the Bernstein
lower bound is both unnecessary for an oracle separation, and superseded by the later results of Klauck et al. 1211 .

$\delta = 2^{-O(\mathrm{poly}(n))}$, $T = 2^{n/10}\,\mathrm{poly}(n)$, $N = 2^n$, and $K = 2^{n/10}$, such an algorithm would satisfy $\delta > (cT^2/N)^K$,
which violates the bound of Theorem 13. ■

Indeed one can show that NP $\not\subset$ BQP/qpoly relative to a random oracle with probability 1.^^



5 The Trace Distance Method 

This section introduces a new method for proving lower bounds on quantum one-way communication
complexity. Unlike in Section 3, here we do not try to simulate quantum protocols using classical ones. Instead
we prove lower bounds for quantum protocols directly, by reasoning about the trace distance between two
possible distributions over Alice's quantum message (that is, between two mixed states). The result is a
method that works even if Alice's and Bob's inputs are the same size.

We first state our method as a general theorem; then, in Section 5.1, we apply the theorem to prove
lower bounds for two problems of Ambainis. Let $\|\mathcal{D} - \mathcal{E}\|$ denote the variation distance between probability
distributions $\mathcal{D}$ and $\mathcal{E}$.



Theorem 15 Let $f : \{0, 1\}^n \times \{0, 1\}^m \to \{0, 1\}$ be a total Boolean function. For each $y \in \{0, 1\}^m$, let $\mathcal{A}_y$ be
a distribution over $x \in \{0, 1\}^n$ such that $f(x, y) = 1$. Let $\mathcal{B}$ be a distribution over $y \in \{0, 1\}^m$, and let $\mathcal{D}_k$
be the distribution over $(\{0, 1\}^n)^k$ formed by first choosing $y \in \mathcal{B}$ and then choosing k samples independently
from $\mathcal{A}_y$. Suppose that $\Pr_{x \in \mathcal{D}_1, y \in \mathcal{B}}[f(x, y) = 0] = \Omega(1)$ and that $\|\mathcal{D}_2 - \mathcal{D}_1^2\| \le \delta$. Then $Q_2^1(f) = \Omega(\log 1/\delta)$.

Proof. Suppose that if Alice's input is x, then she sends Bob the $\ell$-qubit mixed state $\rho_x$. Suppose also
that for every $x \in \{0,1\}^n$ and $y \in \{0,1\}^m$, Bob outputs $f(x, y)$ with probability at least 2/3. Then by
amplifying a constant number of times, Bob's success probability can be made $1 - \varepsilon$ for any constant $\varepsilon > 0$.
So with $L = O(\ell)$ qubits of communication, Bob can distinguish the following two cases with constant bias:

Case I. y was drawn from $\mathcal{B}$ and x from $\mathcal{D}_1$.

Case II. y was drawn from $\mathcal{B}$ and x from $\mathcal{A}_y$.

For in Case I, we assumed that $f(x, y) = 0$ with constant probability, whereas in Case II, $f(x, y) = 1$
always. An equivalent way to say this is that with constant probability over y, Bob can distinguish the mixed
states $\rho = \mathrm{EX}_{x \in \mathcal{D}_1}[\rho_x]$ and $\rho_y = \mathrm{EX}_{x \in \mathcal{A}_y}[\rho_x]$ with constant bias. Therefore

$$\mathop{\mathrm{EX}}_{y \in \mathcal{B}} \left[\|\rho - \rho_y\|_{\mathrm{tr}}\right] = \Omega(1).$$

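We need an upper bound on the trace distance $\|\rho - \rho_y\|_{\mathrm{tr}}$ that is more amenable to analysis. Let $\lambda_1, \ldots, \lambda_{2^L}$
be the eigenvalues of $\rho - \rho_y$. Then

$$\begin{aligned}
\|\rho - \rho_y\|_{\mathrm{tr}} &= \frac{1}{2} \sum_{i=1}^{2^L} |\lambda_i| \\
&\le \frac{1}{2} \sqrt{2^L \sum_{i=1}^{2^L} \lambda_i^2} \\
&= 2^{L/2 - 1} \sqrt{\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2}
\end{aligned}$$

where $(\rho)_{ij}$ is the $(i, j)$ entry of $\rho$. Here the second line uses the Cauchy-Schwarz inequality, and the third
line uses the unitary invariance of the Frobenius norm.
We claim that

$$\mathop{\mathrm{EX}}_{y \in \mathcal{B}} \left[\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2\right] \le 2\delta.$$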



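^^First group the oracle bits into polynomial-size blocks as Bennett and Gill [9] do, then use the techniques of Aaronson to
show that the acceptance probability is a low-degree univariate polynomial in the number of all-0 blocks. The rest of the proof
follows Theorem 14.

From this claim it follows that

$$\mathop{\mathrm{EX}}_{y \in \mathcal{B}} \left[\|\rho - \rho_y\|_{\mathrm{tr}}\right] \le 2^{L/2 - 1} \mathop{\mathrm{EX}}_{y \in \mathcal{B}} \left[\sqrt{\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2}\right] \le 2^{L/2 - 1} \sqrt{\mathop{\mathrm{EX}}_{y \in \mathcal{B}} \left[\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2\right]} \le 2^{L/2 - 1} \sqrt{2\delta}.$$

Therefore the message length L must be $\Omega(\log 1/\delta)$ to ensure that $\mathrm{EX}_{y \in \mathcal{B}}\left[\|\rho - \rho_y\|_{\mathrm{tr}}\right] = \Omega(1)$.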
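Let us now prove the claim. We have

$$\begin{aligned}
\mathop{\mathrm{EX}}_{y \in \mathcal{B}} \left[\sum_{i,j=1}^{2^L} \left|(\rho)_{ij} - (\rho_y)_{ij}\right|^2\right]
&= \sum_{i,j=1}^{2^L} \left( \left|(\rho)_{ij}\right|^2 - 2\,\mathrm{Re}\left((\rho)_{ij}^* \mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[(\rho_y)_{ij}\right]\right) + \mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[\left|(\rho_y)_{ij}\right|^2\right] \right) \\
&= \sum_{i,j=1}^{2^L} \left( \mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[\left|(\rho_y)_{ij}\right|^2\right] - \left|\mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[(\rho_y)_{ij}\right]\right|^2 \right),
\end{aligned}$$

since $\mathrm{EX}_{y \in \mathcal{B}}[\rho_y] = \rho$. For a given $(i, j)$ pair,

$$\begin{aligned}
\mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[\left|(\rho_y)_{ij}\right|^2\right] - \left|\mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[(\rho_y)_{ij}\right]\right|^2
&= \mathop{\mathrm{EX}}_{y \in \mathcal{B}}\left[\left|\mathop{\mathrm{EX}}_{x \in \mathcal{A}_y}\left[(\rho_x)_{ij}\right]\right|^2\right] - \left|\mathop{\mathrm{EX}}_{x \in \mathcal{D}_1}\left[(\rho_x)_{ij}\right]\right|^2 \\
&= \mathop{\mathrm{EX}}_{y \in \mathcal{B},\; x, z \in \mathcal{A}_y}\left[(\rho_x)_{ij}^* (\rho_z)_{ij}\right] - \mathop{\mathrm{EX}}_{x, z \in \mathcal{D}_1}\left[(\rho_x)_{ij}^* (\rho_z)_{ij}\right] \\
&= \sum_{x,z} \left(\Pr_{\mathcal{D}_2}[x, z] - \Pr_{\mathcal{D}_1^2}[x, z]\right) (\rho_x)_{ij}^* (\rho_z)_{ij}.
\end{aligned}$$

Now for all x, z,

$$\left|\sum_{i,j=1}^{2^L} (\rho_x)_{ij}^* (\rho_z)_{ij}\right| \le 1.$$

Hence

$$\begin{aligned}
\sum_{x,z} \left(\Pr_{\mathcal{D}_2}[x, z] - \Pr_{\mathcal{D}_1^2}[x, z]\right) \sum_{i,j=1}^{2^L} (\rho_x)_{ij}^* (\rho_z)_{ij}
&\le \sum_{x,z} \left|\Pr_{\mathcal{D}_2}[x, z] - \Pr_{\mathcal{D}_1^2}[x, z]\right| \\
&= 2 \left\|\mathcal{D}_2 - \mathcal{D}_1^2\right\| \\
&\le 2\delta,
\end{aligned}$$

and we are done. ■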

The difficulty in extending Theorem 15 to partial functions is that the distribution $\mathcal{D}_1$ might not make
sense, since it might assign a nonzero probability to some x for which $f(x, y)$ is undefined.



5.1 Applications 

In this subsection we apply Theorem 15 to prove lower bounds for two problems of Ambainis. To facilitate
further research and to investigate the scope of our method, we state the problems in a more general way
than Ambainis did. Given a group G, the coset problem Coset(G) is defined as follows. Alice is given a
left coset C of a subgroup in G, and Bob is given an element $y \in G$. Bob must output 1 if $y \in C$ and 0
otherwise. By restricting the group G, we obtain many interesting and natural problems. For example,
if p is prime then Coset($\mathbb{Z}_p$) is just the equality problem, so the protocol of Rabin and Yao PHI yields
$Q_2^1(\mathrm{Coset}(\mathbb{Z}_p)) = \Theta(\log \log p)$.
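
Theorem 16 $Q_2^1(\mathrm{Coset}(\mathbb{Z}_p^2)) = \Theta(\log p)$.

Proof. The upper bound is obvious. For the lower bound, it suffices to consider a function $f_p$ defined as
follows. Alice is given $(x, y) \in \mathbb{F}_p^2$ and Bob is given $(a, b) \in \mathbb{F}_p^2$; then

$$f_p(x, y, a, b) = \begin{cases} 1 & \text{if } y \equiv ax + b \pmod{p} \\ 0 & \text{otherwise.} \end{cases}$$

Let $\mathcal{B}$ be the uniform distribution over $(a, b) \in \mathbb{F}_p^2$, and let $\mathcal{A}_{a,b}$ be the uniform distribution over $(x, y)$ such
that $y \equiv ax + b \pmod{p}$. Thus $\mathcal{D}_1$ is the uniform distribution over $(x, y) \in \mathbb{F}_p^2$; note that

$$\Pr_{(x,y) \in \mathcal{D}_1,\, (a,b) \in \mathcal{B}} \left[f_p(x, y, a, b) = 0\right] = 1 - \frac{1}{p}.$$

But what about the distribution $\mathcal{D}_2$, which is formed by first drawing $(a, b) \in \mathcal{B}$, and then drawing $(x, y)$
and $(z, w)$ independently from $\mathcal{A}_{a,b}$? Given a pair $(x, y), (z, w) \in \mathbb{F}_p^2$, there are three cases regarding the
probability of its being drawn from $\mathcal{D}_2$:

(1) $(x, y) = (z, w)$ ($p^2$ pairs). In this case

$$\Pr_{\mathcal{D}_2}[(x, y), (z, w)] = \sum_{(a,b) \in \mathbb{F}_p^2} \Pr[(a, b)] \Pr[(x, y), (z, w) \mid (a, b)] = p \left(\frac{1}{p^2} \cdot \frac{1}{p^2}\right) = \frac{1}{p^3}.$$

(2) $x \ne z$ ($p^4 - p^3$ pairs). In this case there exists a unique $(a^*, b^*)$ such that $y \equiv a^* x + b^* \pmod{p}$ and
$w \equiv a^* z + b^* \pmod{p}$, so

$$\Pr_{\mathcal{D}_2}[(x, y), (z, w)] = \Pr[(a^*, b^*)] \Pr[(x, y), (z, w) \mid (a^*, b^*)] = \frac{1}{p^2} \cdot \frac{1}{p^2} = \frac{1}{p^4}.$$

(3) $x = z$ but $y \ne w$ ($p^3 - p^2$ pairs). In this case $\Pr_{\mathcal{D}_2}[(x, y), (z, w)] = 0$.

Putting it all together,

$$\left\|\mathcal{D}_2 - \mathcal{D}_1^2\right\| = \frac{1}{2} \left( p^2 \left(\frac{1}{p^3} - \frac{1}{p^4}\right) + (p^3 - p^2) \left(\frac{1}{p^4} - 0\right) \right) = \frac{1}{p} - \frac{1}{p^2}.$$

So taking $\delta = 1/p - 1/p^2$, we have $Q_2^1(\mathrm{Coset}(\mathbb{Z}_p^2)) = \Omega(\log(1/\delta)) = \Omega(\log p)$ by Theorem 15. ■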

We now consider Ambainis' second problem. Given a group G and nonempty set $S \subset G$ with $|S| \le |G|/2$,
the subset problem Subset(G, S) is defined as follows. Alice is given $x \in G$ and Bob is given $y \in G$; then Bob
must output 1 if $xy \in S$ and 0 otherwise.

Let $\mathcal{M}$ be the distribution over $st^{-1} \in G$ formed by drawing s and t uniformly and independently from S.
Then let $\Delta = \|\mathcal{M} - \mathcal{D}_1\|$, where $\mathcal{D}_1$ is the uniform distribution over G.

Proposition 17 For all G, S such that $|S| \le |G|/2$,

$$Q_2^1(\mathrm{Subset}(G, S)) = \Omega(\log 1/\Delta).$$

Proof. Let $\mathcal{B}$ be the uniform distribution over $y \in G$, and let $\mathcal{A}_y$ be the uniform distribution over x such
that $xy \in S$. Thus $\mathcal{D}_1$ is the uniform distribution over $x \in G$; note that
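
We have

$$\begin{aligned}
\left\|\mathcal{D}_2 - \mathcal{D}_1^2\right\|
&= \frac{1}{2} \sum_{x, z \in G} \left| \frac{\left|\{y \in G,\ s, t \in S : xy = s,\ zy = t\}\right|}{|G|\,|S|^2} - \frac{1}{|G|^2} \right| \\
&= \frac{1}{2} \sum_{x, z \in G} \left| \frac{\left|\{s, t \in S : xz^{-1} = st^{-1}\}\right|}{|G|\,|S|^2} - \frac{1}{|G|^2} \right| \\
&= \frac{1}{2} \sum_{x \in G} \left| \frac{\left|\{s, t \in S : x = st^{-1}\}\right|}{|S|^2} - \frac{1}{|G|} \right| \\
&= \left\|\mathcal{M} - \mathcal{D}_1\right\| \\
&= \Delta.
\end{aligned}$$

Therefore $\log(1/\delta) = \Omega(\log 1/\Delta)$. ■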
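
The quantity $\|\mathcal{D}_2 - \mathcal{D}_1^2\|$ of Theorem 15, which drives both the proof of Theorem 16 and the proof of Proposition 17, can be computed exactly by brute force on small instances. The following Python sketch is an added example, not code from the paper; it assumes that $\mathcal{B}$ is uniform and $\mathcal{A}_y$ is uniform over the 1-inputs, takes G to be the cyclic group $\mathbb{Z}_n$ written additively for the subset problem, and all function names are illustrative.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def d2_vs_d1_squared(xs, ys, f):
    """Exact variation distance ||D_2 - D_1^2|| from Theorem 15.

    Assumptions of this sketch: B is uniform over ys, and A_y is uniform
    over the 1-inputs {x in xs : f(x, y) = 1}.
    """
    d1 = defaultdict(Fraction)  # D_1: draw y from B, then one x from A_y
    d2 = defaultdict(Fraction)  # D_2: draw y from B, then x and z from A_y
    for y in ys:
        ones = [x for x in xs if f(x, y)]
        if not ones:
            raise ValueError(f"A_y is undefined: no 1-inputs for y={y!r}")
        w1 = Fraction(1, len(ys) * len(ones))
        w2 = Fraction(1, len(ys) * len(ones) ** 2)
        for x in ones:
            d1[x] += w1
        for pair in product(ones, repeat=2):
            d2[pair] += w2
    gap = sum(abs(d2.get((x, z), Fraction(0)) - d1[x] * d1[z])
              for x in xs for z in xs)
    return gap / 2


def coset_delta(p):
    """||D_2 - D_1^2|| for f_p in the proof of Theorem 16 (p prime).

    Alice holds a point (x, y) of F_p^2, Bob holds a line y = ax + b.
    """
    points = list(product(range(p), repeat=2))
    lines = points  # a pair (a, b) also ranges over F_p^2

    def on_line(xy, ab):
        return (xy[1] - ab[0] * xy[0] - ab[1]) % p == 0

    return d2_vs_d1_squared(points, lines, on_line)


def subset_delta(n, S):
    """||D_2 - D_1^2|| for Subset(Z_n, S): Bob accepts iff x + y lies in S."""
    group = list(range(n))
    return d2_vs_d1_squared(group, group, lambda x, y: (x + y) % n in S)


def mixing_distance(n, S):
    """Delta = ||M - D_1||, where M is the law of s - t for uniform s, t in S."""
    m = defaultdict(Fraction)
    for s, t in product(S, repeat=2):
        m[(s - t) % n] += Fraction(1, len(S) ** 2)
    return sum(abs(m.get(x, Fraction(0)) - Fraction(1, n)) for x in range(n)) / 2


if __name__ == "__main__":
    for p in (2, 3, 5):
        # Theorem 16 predicts 1/p - 1/p^2
        print("Coset, p =", p, "->", coset_delta(p))
    S = {0, 1, 5}  # constructed sample subset of Z_12 with |S| <= |G|/2
    # Proposition 17 predicts that the two values coincide
    print("Subset:", subset_delta(12, S), "Delta:", mixing_distance(12, S))
```

Exact rational arithmetic is used so that the comparison with $1/p - 1/p^2$ and with $\Delta$ is an equality check rather than a floating-point approximation.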

Having lower-bounded $Q_2^1(\mathrm{Subset}(G, S))$ in terms of $1/\Delta$, it remains only to upper-bound the variation
distance $\Delta$. The following proposition implies that for all constants $\varepsilon > 0$, if S is chosen uniformly at random
subject to $|S| = |G|^{1/2 + \varepsilon}$, then $Q_2^1(\mathrm{Subset}(G, S)) = \Omega(\log(|G|))$ with constant probability over S.

Theorem 18 For all groups G and integers $K \in \{1, \ldots, |G|\}$, if $S \subset G$ is chosen uniformly at random subject
to $|S| = K$, then $\Delta = O\left(\sqrt{|G|}/K\right)$ with $\Omega(1)$ probability over S.



Proof. We have 



xGG 



< 



IGI 



by the Cauchy-Schwarz inequality. We claim that 
xeG
for some constant c. From this it follows by Markov's inequality that
Pr
and hence
K



1 

IGi 



with probability at least 1/2. 

Let us now prove the claim. We have 



$$\Pr_{\mathcal{M}}[x] = \Pr\left[s_i s_j^{-1} = x\right] = \Pr\left[s_i = x s_j\right],$$

where $S = \{s_1, \ldots, s_K\}$ and i, j are drawn uniformly and independently from $\{1, \ldots, K\}$. So by linearity of
expectation,

IxeG
IGi

EX
^Pr[.. = .s,] + ^^

E hp E P'^'ii + |G
xeG \ i,j=i I '

where

$$p_{x,ij} = \Pr_S\left[s_i = x s_j\right], \qquad p_{x,ijkl} = \Pr_S\left[s_i = x s_j \wedge s_k = x s_l\right].$$



First we analyze $p_{x,ij}$. Let ord(x) be the order of x in G. Of the $K^2$ possible ordered pairs (i, j), there
are K pairs with the "pattern" ii (meaning that i = j), and $K(K-1)$ pairs with the pattern ij (meaning
that $i \ne j$). If ord(x) = 1 (that is, x is the identity), then we have $p_{x,ij} = \Pr_S[s_i = s_j]$, so $p_{x,ij} = 1$ under
the pattern ii, and $p_{x,ij} = 0$ under the pattern ij. On the other hand, if ord(x) > 1, then $p_{x,ij} = 0$ under the
pattern ii, and $p_{x,ij} = \frac{1}{|G| - 1}$ under the pattern ij. So

$$\frac{1}{K^2} \sum_{x \in G} \sum_{i,j=1}^{K} p_{x,ij} = \frac{1}{K^2} \left( K + (|G| - 1) \frac{K(K-1)}{|G| - 1} \right) = 1.$$



Though unnecessarily cumbersome, the above analysis was a warmup for the more complicated case of
$p_{x,ijkl}$. The following table lists the expressions for $p_{x,ijkl}$, given ord(x) and the pattern of (i, j, k, l).



Pattern 


Number of such 4-tuples 


ord {x) = 1 


ord {x) = 2 


ord (x) > 2 


an, iikk 
ijij 

ijji 

ml, iiki, ijii, ijjj 
ijki, ijjk 

iikl, ijkk, ijik, ijkj 
ijkl 


K{K-l) 

K{K ^1) 
AK {K - 1) 
K{K-l){K-2) 
AK {K -1){K - 2) 
K{K-l){K-2) {K-2.) 


1 










\G\-1 

\G\-l 








|G|-1 






(|G|-l)(|G|-2) 




(|G|-l)(|G|-3) 


(|G|-l)(|G|-3) 



Let r be the number of $x \in G$ such that ord(x) = 2, and let $r' = |G| - r - 1$ be the number such that
ord(x) > 2. Then

1 ^ 1



K{K-l) ^ ^, K{K-l)(K-2) 



xGG i,j,k,l=l 



using the fact that K < \G\. 
Putting it all together, 



K'^ + i2r + r') , , (|g|_i)(|(3|_2) 

+ (^r + r') K{K^i){K-2)(K-i) 



(|G|-l)(|G|-3) 



< 
.xeG



Pr[x]
IGi



|G|-3 



< 



+ 



1 
if2 



IGI -3 



1 

if2 



|G| ^ |G| ~ 



and we are done. ■ 

From fingerprinting we also have the following upper bound. Let q be the periodicity of S, defined as the
number of distinct sets $gS = \{gs : s \in S\}$ where $g \in G$.

Proposition 19 (Subset(G, S)) $= O(\log |S| + \log \log q)$.

Proof. Assume for simplicity that q = |G|; otherwise we could reduce to a subgroup $H \le G$ with |H| = q.
The protocol is as follows: Alice draws a uniform random prime p from the range $\left[|S|^2 \log^2 |G|,\ 2|S|^2 \log^2 |G|\right]$;
she then sends Bob the pair (p, x mod p) where x is interpreted as an integer. This takes $O(\log |S| + \log \log |G|)$
bits. Bob outputs 1 if and only if there exists a $z \in G$ such that $zy \in S$ and $x \equiv z \pmod{p}$. To see the
protocol's correctness, observe that if $x \ne z$, then there are at most $\log |G|$ primes p such that $x - z \equiv 0 \pmod{p}$,
whereas the relevant range contains $\Omega\left(\frac{|S|^2 \log^2 |G|}{\log(|S| \log |G|)}\right)$ primes. Therefore, if $xy \notin S$, then by the union bound

$$\Pr_p\left[\exists z : zy \in S,\ x \equiv z \pmod{p}\right] = O\left(|S| \log |G| \cdot \frac{\log(|S| \log |G|)}{|S|^2 \log^2 |G|}\right) = o(1).$$

6 Open Problems



• Are $R_2^1(f)$ and $Q_2^1(f)$ polynomially related for every total Boolean function f? Also, can we exhibit
any asymptotic separation between these measures? The best separation we know of is a factor of
2: for the equality function we have $R_2^1(\mathrm{EQ}) \ge (1 - o(1)) \log_2 n$, whereas Winter has shown that
$Q_2^1(\mathrm{EQ}) \le (1/2 + o(1)) \log_2 n$ using a protocol involving mixed states. This factor-2 savings is tight
for equality: a simple counting argument shows that $Q_2^1(\mathrm{EQ}) \ge (1/2 - o(1)) \log_2 n$; and although the
usual randomized protocol for equality [30] uses $(2 + o(1)) \log_2 n$ bits, there exist protocols based on
error-correcting codes that use only $\log_2(cn) = \log_2 n + O(1)$ bits. All of this holds for any constant
error probability $0 < \varepsilon < 1/2$.

• As a first step toward answering the above questions, can we lower-bound (Coset(G)) for groups 
other than (such as , or nonabelian groups)? Also, can we characterize Q2 (Subset (G, S)) for all 
sets S, closing the gap between the upper and lower bounds? 

• Is there an oracle relative to which BQP/poly $\ne$ BQP/qpoly?

• Can we give oracles relative to which NP $\cap$ coNP and SZK are not contained in BQP/qpoly? Bennett et
al. [7] gave an oracle relative to which NP $\cap$ coNP $\not\subset$ BQP, while Aaronson gave an oracle relative to
which SZK $\not\subset$ BQP.

• Even more ambitiously, can we prove a direct product theorem for quantum query complexity that 
applies to any partial or total function (not just search)? 

• For all f (partial or total), is $R_2^1(f) = O(\sqrt{n})$ whenever $Q_2^1(f) = O(\log n)$? In other words, is the
separation of Bar-Yossef et al. [H] the best possible?

• Can the result (/) = O {mQl {f)\ogQl (/)) for partial / be improved to (/) = O {mQ\ (/))? 
We do not even know how to rule out (/) ~ O {in + Q\ (/)). 

• In the Simultaneous Messages (SM) model, there is no direct communication between Alice and Bob; 
instead, Alice and Bob both send messages to a third party called the referee, who then outputs the
function value. The complexity measure is the sum of the two message lengths. Let (/) and Q^l (/) 
be the randomized and quantum bounded-error SM complexities of / respectively, and let i?2 ''"'^ (/) 
be the randomized SM complexity if Alice and Bob share an arbitrarily long random string. Building 
on work by Buhrman et al. |TJ|, Yao [31] showed that (/) = O (logn) whenever i^P"*" (/) = 0(1). 
He then asked about the other direction: for some £ > 0, does R}^'^^^ [f) = O (n^/^~^) whenever 
0^2 if) — O(logn), and does i?2 (/) = O {n^^"^) whenever Q2 (/) = O(logn)? In an earlier version 
of this paper, we showed that -R2 (/) = O {^/n 

(i?P"N/)+log'^)), which means that a positive 
answer to Yao's first question would imply a positive answer to the second. Later we learned that Yao 
independently proved the same result (SHI. 

Here we ask a related question: can Q2 (/) ever be exponentially smaller than r}^'^^^ (/)? (Buhrman et 
al. 22 showed that Q2 (/) can be exponentially smaller than i?2 (/)•) Iordanis Kerenidis has pointed
out to us that, based on the hidden matching problem of Bar-Yossef et al. discussed in Sectional 
one can define a relation for which Q2 (/) is exponentially smaller than r}^'^^^ (/). However, as in the 
case of Q2 if) versus R2 (/), it remains to extend that result to functions. 